How to neatly configure Spring WebSecurity



























I'm currently working on setting up a reverse proxy security domain using Spring Security, and the idea is to require the bearer token on all the requests by default, except for a few exceptions such as signing up etc. Currently my configuration function looks as follows:



    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and().csrf().disable().authorizeRequests()
            .antMatchers(HttpMethod.POST, SIGN_UP_URL).permitAll()
            .anyRequest().authenticated()
            .and()
            .addFilter(new JWTAuthenticationFilter(authenticationManager()))
            .addFilter(new JWTAuthorizationFilter(authenticationManager()))
            // this disables session creation on Spring Security
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }


Ant matchers are pretty useful, but you have to pass all the URLs in individually. Is there a way for me to pass in an array of Strings instead so that I can keep the configuration separate?










      spring spring-boot spring-security
















      asked 20 hours ago









      NodziGames

























          1 Answer














    http.cors().and().csrf().disable().authorizeRequests()
        .antMatchers(HttpMethod.POST, SIGN_UP_URL).permitAll()


In the above code, antMatchers will also accept a string array. Below is the implementation of the anyMatcher method in Spring Security 4.2.3.RELEASE. According to the method signature, you should be able to pass a string array containing the required paths.



    /**
     * Maps a {@link List} of
     * {@link org.springframework.security.web.util.matcher.AntPathRequestMatcher}
     * instances that do not care which {@link HttpMethod} is used.
     *
     * @param antPatterns the ant patterns to create
     * {@link org.springframework.security.web.util.matcher.AntPathRequestMatcher} from
     *
     * @return the object that is chained after creating the {@link RequestMatcher}
     */
    public C antMatchers(String... antPatterns) {
        return chainRequestMatchers(RequestMatchers.antMatchers(antPatterns));
    }


If you dig into the implementation, Spring converts these args into an ArrayList of all paths.

Also, there is an alternate way. To ignore the path which shall not be secured by Spring Security, if you are extending Spring's WebSecurityConfigurerAdapter class, override the same method again.



    @Override
    public void configure(WebSecurity web) throws Exception {
        // Requests matching this pattern bypass the Spring Security filter chain
        web.ignoring().antMatchers("path");
    }

I guess it is neat this way.
















                answered 18 hours ago









                ntulsi
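
An added example (not code from the question or the answer) that combines both approaches from the answer in one configuration class, with the public paths kept outside the method as the question asks. The property name `security.public-post-paths`, the sample paths and `IGNORED_PATHS` are assumptions; `JWTAuthenticationFilter` and `JWTAuthorizationFilter` are the asker's own classes.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed property, e.g. in application.properties:
    //   security.public-post-paths=/users/sign-up,/users/password-reset
    // Spring converts the comma-separated value to a String[].
    // No default is given, so a missing property fails startup instead of
    // silently producing an empty or overly broad allow-list.
    @Value("${security.public-post-paths}")
    private String[] publicPostPaths;

    // Assumed static resources that need no security processing at all.
    private static final String[] IGNORED_PATHS = { "/favicon.ico", "/static/**" };

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and().csrf().disable()
            .authorizeRequests()
                // The array goes straight into the String... varargs parameter;
                // restricting to POST keeps other methods on these paths protected.
                .antMatchers(HttpMethod.POST, publicPostPaths).permitAll()
                // Deny by default: anything not listed above needs a bearer token.
                .anyRequest().authenticated()
                .and()
            // The asker's filters, assumed to be on the classpath.
            .addFilter(new JWTAuthenticationFilter(authenticationManager()))
            .addFilter(new JWTAuthorizationFilter(authenticationManager()))
            // Stateless API: no HTTP session is created by Spring Security.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // ignoring() takes these paths out of the security filter chain entirely:
        // no CORS handling, no security headers, no JWT filters, no SecurityContext.
        web.ignoring().antMatchers(IGNORED_PATHS);
    }
}
```

`permitAll()` keeps the request inside the filter chain, so CORS handling and the default security headers still apply to the sign-up endpoint; `ignoring()` skips the chain completely, which suits static resources rather than API endpoints.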






























